REST API and User Information List Permissions and Breeze.js

Question

Users who are not site collection admins can read from the User Information List without any issues when using http://server.domain.com/_vti_bin_/ListData.svc/UserInformationList but these users get a 404 error when accessing it via http://server.domain.com/_api/web/lists/getbytitle('User Information List'). Site collection admins do not receive a 404 error. Would anyone have any idea why this might be and if there is a work around for this specific end point?

I know that I could use _api/web/siteusers but this is not really preferable when using Breeze.js's SharePoint adapter as it is apparently expecting me to specify the title of a list and I am trying to be consistent in my data context.

EDIT: Actually the siteusers end point does not provide the same data, it really only has a subset. What I have done as a work around was modify my datacontext object to use $http and ListData.svc rather than using breeze. Since I am never modifying the user data it's ultimately not that big of a deal but I'd still like to figure out a better way to do this as ListData.svc is deprecated.

Answer 1

I suppose _vti_bin/ListData.svc and _vti_bin/client.svc (_api) endpoints have different logic for permission checks.

I can reproduce your problem, while logged as a site admin I can access the list, but not as a normal user:

_api/web/lists/getbytitle('User Information List')

What I also have found in the result, is a new (third) link to that hidden list:

_api/web/SiteUserInfoList/

With this link non-site-admins can access the same information. I know you wanted a unified access to that list for you breeze.js sp adapter. But perhaps, this could be a workaround without needing to go back to the old ListData.svc endpoint.